Security DevCenter
oreilly.comSafari Books Online.Conferences.


Anatomy of an Attack: The Five Ps
Pages: 1, 2, 3, 4

Automated vulnerability scanners

Port scanning, fingerprinting, and determining software versions takes a considerable amount of time and some skill at rooting out information on the Internet. To make research easier, a number of tools are available that perform all these tasks automatically. There are expensive commercial solutions and free open source tools. While these tools were designed to make it easier for administrators to evaluate their security posture, they are a boon to the bad guys, too.

One open source tool has risen above the others (arguably including the commercial alternatives): Nessus. It can be downloaded from Nessus is free, manageable even by novice users, has clients for both Unix-based systems and Windows, and displays the data in an easy-to-understand format. It also suggests what measures to take to fix any listed problems. It should be noted that Nessus works with a client/server model and only a client is available for Windows systems. A server version exists, but it is a commercial solution from Tenable Security ( Nessus also includes Nmap and provides additional reports on OS detection, what ports are currently open, and so forth. Nessus should not be implicitly trusted. False positives are a frequent occurrence and corroborating evidence is suggested before taking aggressive measures against any system.

Because Nessus is manageable even by new Linux users, it is often abused. As a result, Nessus probes and scans readily show up in Snort alerts. There are a variety of Snort signatures that detect a typical Nessus scan. These are normally classified as attempted-recon and as such fall under a classtype 2 categorization or have a Medium severity. Nessus scans are serious infractions and should be considered a potential threat. Just because they are classtype 2 does not mean the information gathered may not affect you later.

There are currently four different methods of downloading and installing Nessus. You can install directly from the web site, by running a local script, or you can build from source. Some distributions have precompiled binaries available. Refer to the documentation to determine which method suits your environment.

Once the program is installed and a certificate and user are added, start the Nessus daemon on the local server with the command:

# /usr/local/sbin/nessusd -D & amp;

You will not need to reboot the machine upon starting this daemon. However, you should automate startup of the Nessus daemon on the local server after a reboot by placing this command on a line in the /etc/rc.d/rc.local file. Remember, the Nessus daemon must be running for the Nessus client to run. The client is typically run locally but can also be run on another system by connecting to the local daemon. Keep the Nessus application current with the latest plug-ins by running the command /usr/local/sbin/nessus-update-plugins. This command can be placed in a cron job and run nightly. Some users prefer doing this manually.

Start the Nessus client from the command line as a regular user (or by executing the Windows binary). You are warned that all dangerous plug-ins, or those that have the ability to crash a system, have been disabled. This is the suggested method of running Nessus initially. These dangerous plug-ins include checks that may cause a service or system to crash and should only be used as when downtime will not adversely affect your environment.

WARNING Be aware that the information obtained from scanning machines on your network can be potentially dangerous. In the hands of a malicious user, the knowledge gained might be used to crash scanned machines. Burn the reports to CD and store them in a safe location. This way the data is not modifiable and can be secured offsite and removed from a mounted drive. It can be referred to later when updates and patches have been completed on affected systems.

There are varying levels of testing available for use with the Nessus client. Before trying anything familiarize yourself with the available plug-ins, preferences, scan options, and target selection possibilities. Security scans can be customized to be extremely nonintrusive and last for several hours, or they can blast away at a network or a single box while employing all the local machine's available CPU power and memory to run the scan.

Figure 4-2 is a sample screenshot of available plug-ins that can be enabled during a test scan. Note the checkboxes to the far-right of the listed plug-ins.

Figure 4-2
Figure 4-2. Enable or disable available plug-ins in Nessus depending on the type of scan

A typical network scan can include multiple servers or systems at the same time. The more machines you select to scan, however, the higher the CPU load on your system and the slower the results. A typical scan can also be run overnight to reduce the load on the system and minimize the effect on the target systems. When complete, the scan's final results are displayed in a window much like that shown in Figure 4-3. Here you can burrow down into the findings and view the warnings, notes, or security holes detected by Nessus, along with recommended solutions.

Figure 4-3
Figure 4-3. Viewing the final Nessus report

Save the report when it's done. It can be useful later when running follow-up scans. The report itself is saved in a variety of formats, including NBE (a proprietary Nessus format), NSR (an older deprecated Nessus style), XML, HTML, LaTeX, ASCII text, or even in HTML format with pies and graphs. The last option makes for clean presentations when you are presenting findings to an audience.

Since Nessus attempts hundreds of different checks against the target systems, it generates many alerts with a wide variety of signatures. Here is a sample of the Snort output from a Nessus scan:

[**] [1:1228:3] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2] 
03/21-22:01:41.686864 -& gt;
TCP TTL:38 TOS:0x0 ID:1147 IpLen:20 DgmLen:60
**U*P**F Seq: 0xEB5E3384  Ack: 0x0  Win: 0xC00  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) =& gt; WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 
[Xref =& gt;]

[**] [1:2385:3] NETBIOS SMB DCE/RPC NTLMSSP invalid mechlistMIC attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] 
03/21-22:01:47.771281 -& gt;
TCP TTL:64 TOS:0x0 ID:14271 IpLen:20 DgmLen:269 DF
***AP*** Seq: 0x737329C2  Ack: 0xF9186CC  Win: 0x16D0  TcpLen: 32
TCP Options (3) =& gt; NOP NOP TS: 1654636883 34559859 
[Xref =& gt;]
[Xref =& gt;]
[Xref =& gt;]

[**] [1:2251:4] NETBIOS DCERPC Remote Activation bind attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
03/21-22:01:48.364347 -& gt;
TCP TTL:64 TOS:0x0 ID:14354 IpLen:20 DgmLen:256 DF
***AP*** Seq: 0x73FB71F0  Ack: 0x957540DC  Win: 0x16D0  TcpLen: 32
TCP Options (3) =& gt; NOP NOP TS: 1654637476 0 
[Xref =& gt;]
[Xref =& gt;]
[Xref =& gt;]
[Xref =& gt;]

Pages: 1, 2, 3, 4

Next Pagearrow

Sponsored by: